Supervision Department CIRCULAR FOR DEFINING AND ACHIEVING SECURITY STANDARDS FOR THE INFORMATION SYSTEM OF A BANK

Supervision Department
July,

Introduction

The interpretation of some innovations and issues in the area of banking practices and standards is usually made by working out supervisory circulars. These circulars contain guidelines and recommendations arising from the perceptions of the National Bank of the Republic of Macedonia on the application of the international supervisory standards, as well as from the features of the banking system and banking regulations in the Republic of Macedonia. Unlike the supervisory standards, which are governed by the laws and the by-laws and are binding, the supervisory circulars are aimed at providing a more efficient way of fulfilling the set supervisory standards, i.e. of meeting certain legal obligations.

The amendments to the Banking Law made in June 2002 required the National Bank of the Republic of Macedonia to set standards for ensuring the security of the information system of the banks. These provisions underlie the Decision on defining the standards for ensuring the security of the information system of the banks ("Official Gazette of the Republic of Macedonia" no. 77/2003), adopted by the National Bank of the Republic of Macedonia Council in December 2003, which closely determines the risk management and control standards that are essential from the aspect of information system security, and the standards for providing business continuity in the banks. Thus, item 22 of the Decision on defining the standards for ensuring the security of the information system of the banks underlies the adoption of this supervisory circular. The recommendations and guidelines stated in the international information security management standards (BS7799-2:2002 and ISO/IEC17799:2000E) and in the Basel operational risk management paper [1] were used in the development of the above Decision and of this circular.

The National Bank of the Republic of Macedonia seeks to establish solid standards for information system security. The application of such standards will ensure higher security of the information stored in the information system and a higher degree of data integrity in the different types of processing. The information system of the banks needs to be available and accessible to the staff and the clients for smooth performance of the banking operations, as well as to the management bodies for making prudential decisions, within their business needs and authorizations.

This circular is not aimed at covering all aspects of information system security management; it rather serves as a guideline for defining and establishing adequate standards for ensuring information system security and for defining the rights and responsibilities of the information security officers, and consequently for ensuring adherence of the banks in the Republic of Macedonia to the set legal norms for information system security.

[1] Sound Practices for the Management and Supervision of the Operational Risk (Basel Committee Publications No February 2003)

This circular consists of the following segments:
1. Definition of the information system security;
2. Risk management and control process from the aspect of the information system security (hereinafter: Information security process);
3. Place, role and responsibilities of the Board of Directors, the executive body and the audit;
4. Chief Information Security Officer (ISO);
5. Business Continuity Plan;
6. IT outsourcing management;
7. Determination of the pace of implementation.

1. DEFINITION OF THE INFORMATION SYSTEM SECURITY

OBJECTIVE

The purpose of establishing information system security standards is to ensure business continuity and to minimize the possible damage to the bank by active and preventive implementation of controls for mitigating the effects of the risks that might be caused by security incidents.

DEFINITION

Information is an asset which has value to the bank and, consequently, needs to be suitably protected. Information system security protects the information from a wide range of threats for the purpose of ensuring business continuity, minimizing business damage and maximizing the income from providing banking services.

Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by mail or by electronic means, shown on film or disclosed in conversation. Information systems increasingly face threats and risk exposures arising from various sources, including computer fraud, espionage and hacking, and new viruses are more frequent, more ambitious and more sophisticated. Regardless of the form of the information or the devices it is conveyed through or stored in, it should always be adequately protected.

Information system security is defined as ensuring:
1. Confidentiality - the information is available only to persons who are vested with authorized access to it. The bank has to establish processes, procedures and controls for protecting the information from unauthorized access;
2. Integrity - protection of the accuracy and completeness of the information and of the processing methods. The bank has to establish processes, procedures and controls for preventing unauthorized alteration of the information and unauthorized system management which could weaken the accuracy, completeness and reliability of the information;
3. Availability - the authorized users have access to the information and to the other accompanying devices necessary for its presentation, if needed for the business. The bank has to establish processes, procedures and controls enabling the authorized users to access the information and the systems where there is a business need.

The confidentiality, integrity and availability of information could be of essential relevance for maintaining the competitiveness, liquidity, profitability, legal compliance and reputation of the bank.

If one of the above principles is not met, or is disturbed, the bank's information system shall be considered UNRELIABLE.

For the purpose of ensuring information system security, a CONTINUOUS PROCESS of information security should be established, with the bank's management bodies providing STRONG support. The process should include adequate participation of all employees so that it can be implemented throughout the bank, since information system security CANNOT be achieved only by technical devices.

Figure 1 - Information system security in the bank cannot be achieved only by technical devices (layers shown: Business processes / Business security; Organizational processes / Security projects and solutions; IT infrastructure / IT security)

2. INFORMATION SECURITY PROCESS

The bank has to establish a CONTINUOUS process of information security and determine the roles and responsibilities of the management bodies and the employees. The information security process is the methodology used by the bank for implementing and achieving the objectives which lead to information system security. The process should be designed so as to provide identification, measurement, control and monitoring of the risks related to the confidentiality, integrity and availability of the systems and the data. This process should contain the following steps (sub-processes):
1. Risk assessment - the bank has to develop a continuous process of identifying the weaknesses of and the threats to its information systems. The process should identify the possibility and frequency of occurrence of the threats, in order to determine the potential damage if they occur;
2. Information security policy - the bank has to adopt an information security policy, constituting a management STRATEGY (plan) for managing the risks to the bank's information system security identified in the step above;
3. Security control implementation - the bank has to establish administrative, physical and technical controls for protecting information and system security at several levels;
4. Security testing - the bank has to establish a process of professional, independent and impartial testing of the efficiency and adequacy of the implemented controls specified in the information security policy;
5. Monitoring and upgrading - the bank has to establish a process of continuous gathering and analysis of information on new threats and weaknesses and on actual attacks against the bank or other financial institutions, combined with the efficiency of the existing security controls. The monitoring and upgrading make the information security process continuous.

Risk assessment

The bank has to maintain a continuous process of assessing the risks to the information technology, entailing the following steps:
- Identification of the information system assets of the bank (types of information and types of information transmission systems);
- Classification of the information system assets of the bank (giving value to the assets);
- Analysis of the probability of occurrence of the threats to and the weaknesses of the system, and of the possible consequences for the bank's information system;
- Prioritization depending on the size of the risk.

The assessment of the risk to information system security is the step of identifying the risks to the confidentiality, integrity and availability of the information system. The risk assessment process is a necessary step for establishing an information security strategy and policy. The initial risk assessment might require a significant one-time effort, but afterwards it should be carried out permanently.

Identification of the bank's information system assets

The information system assets have value to the bank. Therefore they should be suitably protected for the purpose of providing continuous and accurate banking operations. The identification of the assets that constitute a part of the bank's information system includes analysis of a wide range of information relevant to the functioning of the bank. Any asset which is a part of the bank's information system should be clearly identified in this step, and its custodian defined.

For the purposes of this Circular, the following could serve as assets of the information system of the bank:
- Electronic documentation - system documentation, instruction manuals, operating procedures, plans, training;
- Written documentation - agreements, instructions, written credit files, documents containing relevant and confidential data on the bank;
- Software assets - applications, system software, development tools;
- Physical assets - computers and communication equipment, magnetic media (tapes and discs), other technical equipment (power generating sets (aggregates), air-conditioning systems), furniture;
- Human factor - staff;
- Services - computer and telecommunication services used by the bank, including power and telecommunication connections.

This step should result in a so-called "Information Book" including all assets considered to be main parts of the information system of the bank, their location and their custodian.

This Information Book should include a TECHNICAL INFORMATION BOOK covering the overall hardware, software and telecommunication inventory of the bank, as well as its network diagram. The executive body has to have a basic understanding of the most important components of the system and of the manner of transmission and flow of the information through the system.

An example of useful information which could be stored in the hardware information book:

For servers:
- Manufacturer and model
- Processor capacity (Million Instructions Per Second - MIPS)
- RAM memory
- Storage (HDD, tapes, tape silo)
- Network connection
- Function
- Location

For personal computers (desktops):
- Manufacturer and model
- Holder and purpose of holding
- Network connection
- Connection with external networks (modem or wireless card)
- Location

For network equipment:
- Manufacturer and model
- Type
- IP address

There are at least three divisions of the software inventory: operating systems, application software and so-called back-office software. The application software covers the main banking applications and the main applications used in the bank on the personal computers. The so-called back-office software should cover all other applications used in support of the primary applications (such as database management software, data protection software, anti-virus software, internet server and application support software, error and irregularity control software, etc.).

An example of useful information which could be stored in the software information book:
- Name of application (e.g. Ledger, retail banking)
- Manufacturer or supplier
- Serial number
- Version level of the application
- Patch level
- Number of installed copies
- Number of held licenses
- Type of license

The bank's network infrastructure is of great relevance to business continuity. The bank has to hold a network diagram of its information system, fully showing the connections of all components of the information system. The network diagram should contain sufficient details, such as:
- Identification of all internal and external connections (including Internet, modems, wireless connections);
- Description of the manner and type of connection (DSL, ADSL, dial-up, wireless);
- The connection bandwidth;
- Identification of the encrypted channels or other types of channel for secure communication;
- The type and capacity of the network connection devices (switches, routers, hubs);
- The main components for information system security (firewalls, intrusion detection and prevention systems and so-called honeypot systems, if installed);
- The open communication ports between the network devices (NOTE: in the banks, only the communication ports needed for business purposes should be open, and all others should be CLOSED. Please note that many technical devices are delivered from the factory with open communication ports).

Classification of the bank's information system assets

The classification and evaluation of the assets are the most important factors in conducting a successful risk analysis. Therefore, the major critical components of the system should be identified, i.e. its boundaries recognized, and the sensitivity and importance of the hardware, the software and the information that is stored, processed and transmitted determined. The system classification is a segregation of the information system by information sensitivity. The banks should decide on the type of their information classification and the manner of their protection. Where there is no evaluation of the sensitivity of the assets and the information, all assets and information shall be considered highly sensitive and all of them should be subject to proper security controls.

A key part of the asset classification is the ranking of data, documents and systems according to their importance for the successful performance of the bank's operations and the potential damage from inadequate keeping of the sensitive information, such as:
- Confidential data, business secrets;
- Public, internal, confidential and top secret assets or documents, etc.

The ranking and evaluation of the documents should be made together with the bank's staff who directly manage them. The employees are aware of the real loss and the potential damage the bank could suffer from inadequate management of the sensitive documentation. The value given to the information system assets should be in correlation with the expense of purchasing and maintaining the assets and with the potential impact on the bank from the loss of confidentiality, integrity and availability of the asset. The bank should develop its own merit scale for the information system assets, showing the loss to the bank from disturbed confidentiality, integrity and availability, such as:
- Low, medium and high, or
- Very low, low, medium, high and very high.

The bank should define its evaluations and limits for successful classification of the information security assets. As a result of this step, the Information Book should be updated with the classification and evaluation of every identified asset according to each criterion (confidentiality, integrity, availability).

Analysis of the probability of THREATS and WEAKNESSES

Identification of THREATS and WEAKNESSES of the systems

A threat is a potential undesired event which could cause damage to the stable operation of the information system and, consequently, to the stable operation of the bank itself. The weaknesses are related to certain information system assets. The weaknesses of the system do not cause damage by themselves; the threats to information system security use the weaknesses of certain assets to cause instability of the bank's system. The threats are identified and measured by creating and analyzing scenarios.

The weaknesses of the bank's information system should be identified; they could be of:
- physical nature - lack of physical security;
- administrative nature - lack of properly trained staff, lack of work procedures;
- technical nature - inadequacy of the technical configuration.

Therefore the following should be done:
- identification of the weak internal control systems and the organizational weaknesses (such as weak support from the executive body, inadequate training of the staff, inadequate expertise and staffing, improper work procedures and policies);
- identification of the technical weaknesses (such as weaknesses in the existing hardware and software, weak (basic) configuration of the servers, networks and tellers);
- identification of inadequate and insufficient physical security of the bank;
- identification of the new security recommendations and requirements of the regulations;
- identification of the threats to the information system arising from dishonest persons, staff and others who could, deliberately or accidentally, cause damage, as well as external effects beyond the control of the bank (such as earthquake, flood, fire, unavailability of telecommunications or electricity, etc.).

This identification step produces a list of a wide range of weaknesses of certain information system assets and the threats which could be associated with a certain weakness.

Threat | Potential weakness | Risk
Virus | Lack of anti-virus protection | Virus infection
Hacker | Weak (basic) configuration of the bank's server | Unauthorized access to confidential data
Staff | Irregular configuration of the tellers | System error
Fire | Lack of fire extinguishers | Damage to the building and the equipment
Staff | Improper application access controls | Unauthorized access to confidential data
(Table 1 - Examples of threats to the bank's information system assets)
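One way to carry the Technical Information Book and the open-port rule from the network diagram requirements into this identification step, producing rows in the form of Table 1. This is an added example for this circular, not part of it; the device records, port numbers and field names (such as business_ports) are constructed for illustration.

```python
"""Reconcile a bank's Technical Information Book against the circular's rule that
only business-needed communication ports may be open, and turn the findings into
Threat / Potential weakness / Risk rows like Table 1.

Added example, not part of the circular. All device records, port numbers and
field names (e.g. 'business_ports') are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Device:
    """One entry of the technical information book (hardware/network part)."""
    name: str
    kind: str                      # "server", "desktop" or "network equipment"
    manufacturer_model: str
    location: str
    ip_address: str
    open_ports: List[int]          # ports observed listening on the device
    business_ports: List[int]      # ports the book documents as needed for business
    antivirus: bool = True         # anti-virus software recorded in the software book
    external_connection: str = ""  # modem / wireless card on desktops, "" if none


# Constructed sample inventory (not real equipment, models or addresses).
SAMPLE_DEVICES = [
    Device("core-banking-srv", "server", "Example Corp S100", "Head office DC",
           "10.0.0.5", open_ports=[22, 443, 1521, 23], business_ports=[22, 443, 1521]),
    Device("branch-pc-07", "desktop", "Example Corp D20", "Branch 7",
           "10.7.0.23", open_ports=[135, 445], business_ports=[135, 445],
           antivirus=False, external_connection="modem"),
    Device("edge-router", "network equipment", "Example Corp R1", "Head office DC",
           "10.0.0.1", open_ports=[22, 80, 161], business_ports=[22, 161]),
]


def undocumented_open_ports(dev: Device) -> List[int]:
    """Ports that are open but have no documented business need.
    Per the circular these must be CLOSED; factory defaults are a common cause."""
    return sorted(set(dev.open_ports) - set(dev.business_ports))


Row = Tuple[str, str, str]  # (threat, potential weakness, risk)


def identify_weaknesses(devices: List[Device]) -> List[Row]:
    """Derive Table 1 style rows from the inventory.

    Each rule maps an inventory fact to the threat that could use it and the
    resulting risk, using the wording of Table 1 in the circular."""
    rows: List[Row] = []
    for d in devices:
        extra = undocumented_open_ports(d)
        if extra:
            rows.append(("Hacker",
                         f"{d.name}: weak (basic) configuration, ports {extra} "
                         f"open without business need",
                         "Unauthorized access to confidential data"))
        if not d.antivirus:
            rows.append(("Virus",
                         f"{d.name}: lack of anti-virus protection",
                         "Virus infection"))
        if d.kind == "desktop" and d.external_connection:
            rows.append(("Hacker",
                         f"{d.name}: uncontrolled external connection "
                         f"({d.external_connection}) bypasses the bank's network controls",
                         "Unauthorized access to confidential data"))
    return rows


def format_table(rows: List[Row]) -> str:
    """Render the rows in the three-column layout of Table 1."""
    lines = ["Threat | Potential weakness | Risk"]
    lines += [" | ".join(r) for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(identify_weaknesses(SAMPLE_DEVICES)))
```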

Analysis of the probability of threats and the possible consequences for the bank

The executive body should use the data processed in the previous steps and make an analysis of the assets and the risks associated with them. The analysis should identify the different events and threats that could adversely affect the achievement of the strategic and operating objectives of the bank. The probability that a threat will cause damage to the bank by using a certain weakness should be ranked on an adequate scale:
- Very likely - it is likely that the threat will occur;
- Likely - the threat could occur, but there are some protection mechanisms;
- Unlikely - it is unlikely that the threat will occur, since there are adequate protection mechanisms in place.

The analysis of the occurrence of certain threats should take account of:
- Deliberately caused threats;
- Accidentally caused threats.

Accidental threats are incidents resulting from inadequate internal control systems and improper work procedures, inadequate access controls and lack of physical security, or natural disasters. Deliberate threats are usually caused by a highly motivated intruder (paid by the competition, a former employee, etc.) who can use the weaknesses of the information system of the bank.

The probability and the possible damage to the bank should be analyzed by using scenarios. The scenarios should entail intrusions into the physical security and the technical security, and scenarios where the staff do not adhere to the administrative work procedures. Mostly, intruders of the so-called "social engineering" type seek to get information from the bank for which they are not authorized by manipulating the trust of the bank's staff. Therefore, the adequacy and efficiency of the employees' adherence to the security procedures should be regularly tested, particularly for those who work with sensitive documentation. Often the intruder can more easily get sensitive documentation or access codes and passwords in this manner than through an external intrusion into the information system (e.g. through the Internet).

Risk measurement methods

There are two generally accepted risk measurement methods: the QUANTITATIVE method and the QUALITATIVE method. The idea behind establishing such risk measurement methods is to form a list of potential threats and real financial damages to the bank. Using the list, the executive body should develop a strategy for mitigating the high risks by compiling priority lists of activities for implementing suitable controls, and for accepting all other risks.

Quantitative risk analysis

This method gives values to the extent of the probability, such that figures as close to real as possible are given to the respective coefficients. Basic coefficients should be defined for this approach, such as: asset value, frequency of occurrence of the threat, control efficiency, probability of occurrence of the threat, etc. This approach requires a good understanding of all coefficients, so that they can be incorporated in an equation with a view to successful risk measurement. This approach should define:
- SLE (Single Loss Expectancy) - the loss, presented in denars, suffered by the bank in the case of such an event;
- AV (Asset Value);
- EF (Exposure Factor) - the percentage of the asset value that the threat will cause to be lost.

By defining the above coefficients, the following equation can be derived:

SLE = AV x EF

Example: If a server of the bank is worth Denar 1,000,000 (AV = 1,000,000), and a fire breaks out in its location, the damage to the server from the fire is calculated to be 25% (EF = 25%). This coefficient varies depending on whether or not the bank has proper physical controls in place (such as fire protection devices). In such case, the single loss expectancy would be:

SLE = AV x EF = 1,000,000 x 25% = 250,000

The following coefficients are defined next:
- ARO (Annual Rate of Occurrence) - the frequency of occurrence of an event within a year. It ranges from 0.00 (never) to 1.00 (always);
- ALE (Annual Loss Expectancy) - the annual loss from the occurrence of an event, according to the coefficient for the occurrence of the event (ARO).

The above leads to the conclusion that:

ALE = SLE x ARO

The example should further define the ARO coefficient, i.e. if a fire breaks out once in ten years (statistically) in this region, then ARO = 0.1 and we can calculate that:

ALE = SLE x ARO = 250,000 x 0.1 = Denar 25,000

This value (ALE) defines the maximum annual amount the executive body could spend for protection of the asset (server) from the respective threat (fire). If the executive body spends more than this maximum annual amount a year, there is no economic justification for the investment in implementing such controls, since the damage in real terms will be lower than the funds spent on controlling the occurrence of such damages. Prior to implementing security controls for risk mitigation and control, it should be ensured that they are economically justified. The bank SHOULD NOT invest in control protection mechanisms whose price exceeds the total value of the bank's asset. In this type of risk analysis, coefficients and values as close to real as possible should be given, so that the management can obtain a more realistic and quantitative picture of the losses from different threats.

Qualitative risk analysis

This risk analysis method consists of discussion and analysis of different types of scenarios and potential risks to the stability and the safe operations of the bank. This method involves teamwork of experienced staff who understand the overall operations of the bank and are aware of the potential risks. The ISO elaborates the possible scenarios to the team and proposes and offers solutions that could contribute towards preventively circumventing the threat. This method ranks the gravity of the threat and ranks possible solutions for risk mitigation (ranking of the efficiency of certain possible security controls). Each team member ranks the gravity of the threat and the potential loss to the bank. The bank should develop an internal ranking scale which could be descriptive (low, medium, high) or numerical (1, 2, 3, 4, 5). When the team completes the ranking of the gravity of the threat and the risk, and thus the ranking of the efficiency of the individual controls, a report should be prepared and submitted to the executive body so that it can make a reasonable judgement and select more efficient controls for providing a more secure information system.

Example: We take a scenario where the bank was intruded by an external third party and several credit files were stolen from the loan officers. The team participating in these scenarios should be experienced and understand the controls and procedures in place throughout the whole bank. They evaluate the size of the threat and the probability of it arising, ranking them from 1 to 5 (1 - lowest, 5 - highest). What would be the consequences for the bank and what are the possible implications for the future operations of the bank? Finally, the efficiency of certain controls, which are to be offered as proper solutions for mitigating the risk level of the threat, is also ranked. The summary results should be presented to the executive body which, on the basis of this report, should conclude that this threat to the bank is fairly high, and that the most appropriate solution for mitigating this risk is the installation and configuration of a firewall (Table 2).

Table 2. Example of qualitative risk analysis
Threat: Hacker gets access to confidential data of the bank (credit files)
Rows (each ranked 1-5 by every team member): Size of the threat; Probability of occurrence; Loss to the bank; Control 1: Firewall efficiency; Control 2: Efficiency of the Intrusion Detection System (IDS)
Columns: IT manager; Administrator; Programmer; Department manager (loans); Officer (loan); RESULTS

The risk of each scenario is a function of the probability of the event occurring and the possible damage to the bank. As a result of this step, a probability analysis should be made stating that a certain threat could use the respective weakness of some information system asset, and the damage (quantitative or qualitative) to the bank from disturbing the confidentiality or integrity of the information, or from the unavailability of parts of the bank's information system.

Giving priority

This step ranks the risk (probability and damage) of the different scenarios with a view to presenting the risk and its results in analytical form. The derived risk analysis should serve for developing a list of priorities that are to be resolved by the executive body. As for the risks that could cause large damage to the bank, the executive body will have to respond promptly or establish a timeframe for their mitigation. The executive body can decide to accept risks of a lower degree and not to introduce controls for their mitigation. This step includes selection of the level marking the boundary between risk control and acceptance of the risks by the executive body. The risks that require action should be elaborated in the information security policy.
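The three steps above (quantitative SLE/ALE measurement with the economic-justification tests, qualitative team ranking as in Table 2, and giving priority against an acceptance level) carried through in code, as an added example for this circular and not its own text. The server/fire figures are the circular's; every other scenario, control cost, team score, function and field name is this example's assumption, and the net-benefit and probability x loss figures go beyond what the circular defines.

```python
"""Risk measurement as the circular describes it: quantitative (SLE = AV x EF,
ALE = SLE x ARO), qualitative (team rankings on a 1-5 scale, as in Table 2) and
prioritization against the risk level the executive body is willing to accept.

Added example, not the circular's own text. The server/fire figures (AV 1,000,000
denars, EF 25%, ARO 0.1) are taken from the circular; every other scenario, control
cost and team score is constructed. The net annual benefit of a control and the
probability x loss risk score are this example's additions."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple


@dataclass
class Scenario:
    threat: str
    asset: str
    av: float   # AV, asset value in denars
    ef: float   # EF, share of AV lost in one occurrence (0.0 - 1.0)
    aro: float  # ARO, occurrences per year, 0.00 (never) to 1.00 (always)


def sle(s: Scenario) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    return s.av * s.ef


def ale(s: Scenario) -> float:
    """Annual Loss Expectancy: ALE = SLE x ARO."""
    return sle(s) * s.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    ef_after: float   # EF once the control is in place
    aro_after: float  # ARO once the control is in place


def control_justified(s: Scenario, c: Control) -> Tuple[bool, float]:
    """Apply the circular's two economic tests and compute the net annual benefit.

    ALE is the most that should be spent per year against this threat, and no
    control may cost more than the asset it protects. The benefit (ALE reduction
    minus cost) is an addition of this example for comparing justified controls."""
    residual = Scenario(s.threat, s.asset, s.av, c.ef_after, c.aro_after)
    benefit = ale(s) - ale(residual) - c.annual_cost
    justified = c.annual_cost <= ale(s) and c.annual_cost <= s.av
    return justified, benefit


def prioritize(scenarios: List[Scenario],
               acceptable_ale: float) -> Tuple[List[Scenario], List[Scenario]]:
    """Rank scenarios by ALE. Those above the level the executive body accepts need
    a control and a timeframe; the rest may be accepted without controls."""
    ranked = sorted(scenarios, key=ale, reverse=True)
    act = [s for s in ranked if ale(s) > acceptable_ale]
    accept = [s for s in ranked if ale(s) <= acceptable_ale]
    return act, accept


PROB, LOSS = "Probability of occurrence", "Loss to the bank"
CRITERIA = ["Size of the threat", PROB, LOSS,
            "Control 1: Firewall efficiency", "Control 2: IDS efficiency"]


def qualitative_summary(team_scores: Dict[str, Dict[str, int]]) -> Dict[str, float]:
    """Average each 1-5 ranking over the team (the RESULTS column of Table 2) and
    add a combined risk score = probability x loss (this example's addition)."""
    for rater, scores in team_scores.items():
        for k in CRITERIA:
            if not 1 <= scores[k] <= 5:
                raise ValueError(f"{rater}: '{k}' must be ranked 1-5, got {scores[k]}")
    summary = {k: mean(s[k] for s in team_scores.values()) for k in CRITERIA}
    summary["Risk score"] = summary[PROB] * summary[LOSS]
    return summary


# Quantitative sample: the circular's server/fire example plus constructed scenarios.
FIRE = Scenario("Fire", "Server", 1_000_000, 0.25, 0.1)
SCENARIOS = [FIRE,
             Scenario("Virus", "Branch workstations", 400_000, 0.10, 0.5),
             Scenario("Flood", "Paper archive", 200_000, 0.50, 0.02)]
FIRE_CONTROLS = [Control("Fire suppression in the server room", 15_000, 0.05, 0.1),
                 Control("Fully duplicated data centre", 1_200_000, 0.0, 0.1)]

# Qualitative sample for the Table 2 scenario (stolen credit files); scores constructed.
TEAM_SCORES = {rater: dict(zip(CRITERIA, scores)) for rater, scores in {
    "IT manager": (4, 3, 5, 4, 3),
    "Administrator": (4, 4, 4, 5, 3),
    "Programmer": (3, 3, 4, 4, 4),
    "Department manager (loans)": (5, 3, 5, 3, 2),
    "Officer (loan)": (4, 2, 5, 4, 3),
}.items()}


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.threat:>6} on {s.asset}: SLE={sle(s):,.0f} ALE={ale(s):,.0f} denars")
    for c in FIRE_CONTROLS:
        ok, gain = control_justified(FIRE, c)
        print(f"{c.name}: {'justified' if ok else 'NOT justified'}, net benefit {gain:,.0f}")
    act, accept = prioritize(SCENARIOS, acceptable_ale=10_000)
    print("act on:", [s.threat for s in act], "accept:", [s.threat for s in accept])
    for k, v in qualitative_summary(TEAM_SCORES).items():
        print(f"{k}: {v:.1f}")
```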

2.2. Information security policy

The information security policy is the FOUNDATION of the development of the information security process. The policy should also provide for developing additional issues from the aspect of security. The procedures, standards and instructions resulting from the policy will contribute towards more precise, gradual development of all aspects of ensuring a reliable and consistent information system.

The information security policy should be established in the bank according to the top-down principle. Therefore, THE STARTING POINT of the information security process is the executive body of the bank. The executive body should elaborate the manner of establishing the information security process in the bank, its (strategic) objectives, and explain its implementation at the various levels of the bank. The policy should define the risk assessment methodology and the amount of risk acceptable to the executive body, as well as the manner of managing high risk. The policy should also state the policies resulting from this information security policy.

Standards, guidelines and procedures

The information security policy should be developed by working out additional security policies and accepting standards, as well as by working out instructions and procedures for their further explanation and development. The standards define the activities, presented as rules and restrictions, which ensure achievement of the objectives defined in the information security policy. Example: if we seek to achieve encryption of all confidential documentation, the bank will have to specify an encryption standard in order to achieve a more reliable information system. The bank has to specify the standards it will follow and adhere to.

The guidelines contain more detailed instructions for the activities which are to be undertaken and applied, and give operating guidance for the system users. All recommendations given by the management should be stated in the instructions.

The procedures constitute the precise steps which are to be undertaken for the purpose of achieving certain policy objectives. The procedures could be communicated to the end users, the employees who are to conduct certain activities for improving the security of the bank as a whole. The procedures specify the manner of implementing the policies, standards and guidelines in the bank. Example: if "backup" is declared to be a standard in the bank, the procedures should develop, in detail, the backup process, its timeframes, storage

17 Figure 2 (shows the pyramid of developing an information security policy by working out information security standards, instructions and procedures) The key factors that affect the success of the information security policy are given below: Obtaining support and active participation of the executive body; Conduct of comprehensive analysis of risks to the bank's information system; Successful information system classification; Implementation of security controls for the purposes of risk control and management; Establishment of a set of precisely defined moral and ethical codes of conduct of the staff regarding the information system security; Getting a statement (confirmation) from all employees that they read and understood the information security policy, particularly the part referring to reasonable usage of the bank's information systems; Providing adequate staff training and education for the information system security; Annual policy revision, the amendments to which will be specified by the Board of Directors. Key elements of the information security policy which are to be developed by additional polices, standards, instructions and procedures are: - information classification for the purpose of this Circular implies ranking of information in the bank by the degree of their sensitivity (example: public, confidential, top secret ) 17

- Training of the staff in the proper (reasonable) usage of the bank's information system (proper operation of the bank's applications, proper usage of the Internet and e-mail for business purposes). The bank should define the activities which must not be performed with the bank's information system (such as a ban on installing hardware and software which could disturb the security of the overall system: modems, wireless communication, viruses). This policy should be communicated to all employees and to all others who have access to and a business need for the information system (staff, outsourcers, ...), who have to sign a statement confirming that they have read and understood it;
- Definition of the role of internal and external audit from the aspect of ensuring information system security; definition of the role of the Internal Audit Department from the aspect of testing and assessing the efficiency of the control systems implemented for information system security. The Internal Audit Department should also take an active role in defining the audit and control trails that must be kept and the period for which they are kept;
- Definition of the relation with the bank's outsourcers: the manner in which IT outsourcers access the bank, the legal provisions in the contracts with the outsourcers, and uniform rules for the selection of outsourcers;
- Definition of the control of access to certain resources of the bank (manner of user control and identification);
- Monitoring of configurations (security updates, upgrades to new versions, changes to application parameters and code, preparation and migration of applications into production); definition of the manner of upgrading the system, more precisely the operating systems and the bank's applications, and of conducting data conversions. The executive body is recommended to organize these assignments by establishing project teams with precisely defined objectives and completion periods;
- Establishment of a Business Continuity Plan (hereinafter: BCP) for all business functions of the bank;
- Establishment of anti-virus protection;
- Definition of telecommunications (modems, firewalls, monitoring systems, alarming and recording of unauthorized access to the information system, encryption), including the internal control techniques and systems used to provide the functionality of a certain service (such as Internet, e-mail, e-banking). The internal control techniques and systems are aimed at preventing and detecting a possible internal or external intrusion and at establishing response processes in the event of a potential intrusion into the bank's information system;

- Restriction of physical access (ban on unauthorized physical access to certain areas in the bank). Example: division of the bank into security zones, each of which can have its own specific physical access controls;
- Establishing additional security mechanisms (fire protection, flood protection, monitoring, sensors, alarms);
- Protection of the inventory from theft or the unauthorized removal of media, hardware or software from the bank, etc. Apart from physical security, these objectives can be achieved by introducing internal control systems, that is, efficient systems for recording, keeping, transmitting and writing off parts of the information system;
- Definition of the activities undertaken when the bank suspects or identifies an incident related to information system security, which is to be reported to the National Bank of the Republic of Macedonia and the Ministry of Interior. The banks should submit the notification (Annex 2 to this Circular) to the National Bank of the Republic of Macedonia within five days after the security incident is identified.

These proposed elements can be considered a starting point for developing the information security policy. Additional elements, which are not included in this Circular but are relevant to the information system security of the bank, might also need to be developed.

2.3 Implementation of security controls

Information system security can be ensured at several control levels: physical, technical and administrative. These three categories can be further divided into prevention and detection controls. Prevention controls are aimed at preventing undesired events; detection controls seek to detect an event after its occurrence.

Adequate physical, technical and administrative controls should be put in place to achieve the desired level of information system security, as well as a balance between prevention and detection controls for the purpose of achieving the objectives of the information security policy. The combination of physical, technical and administrative controls that is most suitable to a specific circumstance can be identified only by conducting a comprehensive risk analysis. There is no universal pattern which could be copied from other banks.

Physical controls

The physical controls serve to ensure adequate physical security in the bank. Examples of physical controls are locks, guards, badges, alarms and similar measures for controlling access to the bank's information systems. These measures are aimed at preventing possible threats such as espionage, theft, and destruction or damage caused by an accident or natural disaster (flood, earthquake, ...).

Physical prevention controls

Physical prevention controls are used to prevent unauthorized access to the information systems and to protect against natural disasters. They are the following:
- Data protection: in the case of deliberate or accidental destruction of data or documentation, the protected data (the backup copies) should be available and accurate. The protected data should be kept in a safe location constructed of non-combustible materials. The protected data should be kept at a remote location, so as to avoid the risk of the original and the protected data and systems being destroyed by the same security incident. Protected data of a sensitive nature should have the same protection level as the original data;
- Fence: the fence can additionally be monitored by cameras or secured with alarm systems;
- Guard service: stationed at the entrance of the building with the assignment of allowing access to the bank's premises only to authorized persons. The guards are effective only if provided with procedures stating which assets can and cannot be taken out of the bank without prior authorization. The effectiveness of the guard service is further increased if it is supported by alarm appliances and warning indicators which the guards can follow;
- Badges: physical access can be controlled by issuing adequate badges valid only for the respective security zone of physical access;
- Locks and keys: most often used to control access to restricted areas. Since it is hard to control the copying of keys, most banks avoid ordinary locks and keys. Coded locks are recommended (such as a combination of numbers pressed in a certain order which opens the door);
- Power generators: the information systems must remain available even in the case of an interruption of the power supply. This is usually achieved by a combination of battery-based units (so-called UPS) and power generators running on petrol, diesel, kerosene or natural gas. The executive body should make sure that the battery-based units and the central power generator are properly configured throughout the bank. Their operation needs to be synchronized: when the power fails, the battery-based units take over first (within milliseconds), and during the time they supply power the central power generator is started and put into operation. The UPS systems should supply power sufficient for a reasonable period and for continuity in the operation of the information equipment until the power supply resumes or the power generator takes over. The power generator should be able to ensure the business continuity of the bank for a period of two to three days. The bank should periodically test the power generator in order to verify its functionality;
- Selection of location (primary and alternative): it should be made carefully so as to avoid the evident, predictable risks of the area in which the location is situated (e.g. avoiding the risks of flood, earthquake or fire in the area, and avoiding locations close to airports or railroads because of the vibrations which might damage the electronic devices);
- Fire protection devices: devices whose purpose is to protect against fire and to bring a potential fire in the bank under control. The purpose is to prevent disaster, casualties and loss to the bank's infrastructure. The information system is an important part of the bank's infrastructure and should therefore be appropriately protected from fire. The information systems should be located far from potential fire sources (kitchens, bars, ...). The furniture in the computer room should be made of non-combustible material. Fire extinguishers should be properly deployed in the bank so as to be available in the case of fire. The staff should be trained and educated to handle these devices and to understand the procedures to be followed in the case of fire. Usually, automatic fire extinguishers are installed in the ceiling of the computer center. In a computer center, the risk from extinguishing with water is far higher than the fire itself. If the fire is extinguished with water or foam, the room should have special water-resistant covers for covering the critical equipment before the fire is brought under control. In places where the staff has already been or can easily be evacuated, special gases are recommended which displace the oxygen and thereby bring the fire under control.

Physical detection controls

The physical detection controls warn the information security officers that the physical protection measures have been breached. These controls can be:
- Motion detectors: installed in computer rooms where there are no people, or turned on throughout the bank after working hours. The motion detectors have to be permanently monitored by the guard service;
- Smoke and fire detectors: should be installed in the ceiling and in the raised floor. As technology advances, the so-called VESDA systems have appeared, which are early fire detection systems. These detectors are far more sophisticated than conventional fire detectors: they continuously sample the air in the room and can easily detect a burnt cable or wire at an early stage and alarm the management. The bank should regularly check and test the accuracy of all smoke and fire detectors;

- CCTV monitors: the aim is to obtain audio and video surveillance of the areas which are to be under permanent monitoring (such as the entire computer hall, the bank's main server, entrances and exits, etc.);
- Sensors and alarms: should continuously monitor the working environment of the equipment and ensure that the air temperature and humidity in the room stay within the values specified and recommended by the manufacturer.

Technical controls

Technical controls are controls built into the information equipment, the application software, the communication equipment and the supporting devices by the manufacturer of the equipment. Technical controls are also called logical controls.

Technical prevention controls

The technical prevention controls are used to prevent persons, applications or processes from getting access to information resources for which they have no authorization:
- Access control lists: the bank should establish control of access to certain information resources. In most systems, access to data and applications is implemented with access control lists on the information system resources. These lists grant access to certain resources only to authorized and registered users;
- Anti-virus: the bank has to have an anti-virus application in place at the bank level. Its significance has to be emphasized, since viruses have taken on epidemic proportions in the information world. The risks related to viruses are very high, as they can cause business discontinuity in the bank and loss of data. This software is usually updated daily in order to add definitions of the new viruses which appear every day;
- User name and password: the user names of the information system should be the only way of identifying the system users. The bank should avoid opening user names on its system which cannot identify a single user. It is not recommended to open user names such as "bank", names of organizational units, names of outsourcers and other general names which cannot precisely identify the user who worked on the system and whether they had the required authorization level. There is no magic rule for the selection of passwords; it depends on the environment and the security level one seeks to achieve.
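The user-name and password control described above, together with the password-management recommendations that follow (validity periods per user class, change before expiry, a limit on wrong attempts, an audit trail of password changes) and the character classes of Table 1, can be put into working form. The following is an added example written for this section; it is not code from the circular or from any bank's system. The user classes and validity periods are the circular's own; the attempt limit of 5, the account data and the ISO-date handling are assumptions made for the example.

```python
"""Password-management checks following the circular's recommendations
(validity period per user class, change before expiry, a limit on wrong
attempts, audit trail of password changes) and the keyspace arithmetic
behind Table 1. Added example: the account data, the attempt limit and
the date handling are constructed assumptions, not a bank's policy."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import string

# Validity periods (days) recommended by the circular.
VALIDITY_DAYS = {"common": 120, "privileged": 60, "security": 30}
# Allowed wrong attempts before the profile is blocked. The circular lists
# this as a consideration without fixing a number; 5 is an assumed value.
MAX_FAILED_ATTEMPTS = 5

# Character classes of Table 1: the keyspace grows with both alphabet size
# and length, which is why the 9-character row is in a different league.
CHARSET_SIZES = {
    "letters": len(string.ascii_letters),                                # 52
    "letters+digits": len(string.ascii_letters + string.digits),         # 62
    "letters+digits+symbols": len(string.ascii_letters + string.digits
                                  + string.punctuation),                 # 94
}


def possible_combinations(charset: str, length: int) -> int:
    """Number of distinct passwords of the given character class and length."""
    return CHARSET_SIZES[charset] ** length


@dataclass
class Account:
    username: str
    user_class: str            # "common", "privileged" or "security"
    password_set_on: str       # ISO date of the last password change
    failed_attempts: int = 0
    locked: bool = False
    audit_trail: list = field(default_factory=list)


def days_until_expiry(acct: Account, today: str) -> int:
    """Days left before the password must be replaced; negative when overdue."""
    set_on = date.fromisoformat(acct.password_set_on)
    expires = set_on + timedelta(days=VALIDITY_DAYS[acct.user_class])
    return (expires - date.fromisoformat(today)).days


def change_password(acct: Account, today: str, actor: str) -> None:
    """Record a password change. The user may change the password before it
    expires, so no expiry check is made; the audit trail keeps who changed
    it and when, as the circular recommends."""
    acct.password_set_on = today
    acct.failed_attempts = 0
    acct.audit_trail.append((today, actor, "password_changed"))


def login(acct: Account, password_ok: bool, today: str) -> str:
    """Outcome of a login attempt: 'ok', 'expired', 'locked' or 'denied'.
    password_ok stands in for the credential check itself."""
    if acct.locked:
        acct.audit_trail.append((today, acct.username, "login_on_locked_account"))
        return "locked"
    if not password_ok:
        acct.failed_attempts += 1
        acct.audit_trail.append((today, acct.username, "login_failed"))
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            acct.audit_trail.append((today, acct.username, "account_locked"))
            return "locked"
        return "denied"
    acct.failed_attempts = 0
    if days_until_expiry(acct, today) < 0:
        # Correct password but past its validity: force a change first.
        return "expired"
    return "ok"


if __name__ == "__main__":
    # Constructed walk-through for a privileged user (60-day validity).
    acct = Account("jsmith", "privileged", "2024-01-01")
    print(days_until_expiry(acct, "2024-02-01"))   # 29
    print(login(acct, True, "2024-03-15"))          # expired
    change_password(acct, "2024-03-15", "jsmith")
    print(login(acct, True, "2024-03-15"))          # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        result = login(acct, False, "2024-03-16")
    print(result, acct.audit_trail[-1])             # locked ('2024-03-16', 'jsmith', 'account_locked')
    for row in (("letters", 6), ("letters+digits", 6),
                ("letters+digits+symbols", 6), ("letters+digits+symbols", 9)):
        print(row, possible_combinations(*row))
```

The expiry check is deliberately applied only after a correct password, so that an expired password still counts wrong attempts and still locks the profile; a correct but expired password returns "expired" and the user is sent to change_password, which is itself written to the audit trail.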

Here are a few considerations related to passwords:
- Cost of password replacement;
- Risk of the password being broken (see Table 1);
- Manner of distribution to the end users;
- Possibility of breaking the password;
- Number of allowed wrong attempts.

Recommendations for password management:
- Validity: 120 days for common users;
- Validity: 60 days for privileged users;
- Validity: 30 days for security personnel;
- The user can change the password before it expires;
- Keeping audit trails of password changes.

Table 1. Types of passwords and the time necessary to break them with the power of current information technology

Type of password                                                | Length       | Possible combinations | Time for breaking through
Letters (lowercase and uppercase)                               | 6 characters |                       | Less than a minute
Letters (lowercase and uppercase)                               | 6 characters |                       | day
Letters (lowercase and uppercase) and numbers                   | 6 characters |                       | days
Letters (lowercase and uppercase), numbers and special symbols  | 6 characters |                       | weeks
Letters (lowercase and uppercase), numbers and special symbols  | 9 characters |                       | thousands of years

- Smart cards: plastic cards with a built-in computer chip (memory/processor). The chip may be either a microprocessor with internal memory or memory only. The smart card memory may contain encrypted data which can serve to authenticate the user. In combination with PIN verification, they offer reliable two-level authentication. They are recommended for access to the bank's most sensitive documentation. Smart cards can also serve for electronic document management and for the electronic signing of documents under the regulations governing the electronic signature, and for the purposes of E-Banking;
- Encryption: the transformation of plain text into unintelligible (encrypted) text using cryptographic techniques. Encryption is recommended for the transmission of sensitive information. There are two manners of encryption: hardware and software;
- Remote access control: a system of internal technical controls aimed at mitigating the risk of unauthorized access by outsiders to the bank's information system. If there is remote access to the bank's system, the bank should permanently monitor and follow the audit trails defined for the purposes of remote access. The bank has to carry out all controls necessary to increase the security of the type of solution used (callback, VPN, encryption, access servers, etc.).

Technical detection controls

These controls are used to detect when the technical prevention controls installed in the system have been affected, and to alert the protection and control systems. They are the following:
- Audit trails: snapshots of the system activities from which the sequence of events in a transaction can be reconstructed and audited, from top to bottom. They provide significant evidence and a trail of any attempt to breach the established information security policy. These reports should be checked on a regular basis and monitored by the Information Security Officer (hereinafter: ISO) for the purpose of analyzing unauthorized access;
- Intrusion Prevention and Detection System: the bank should have systems in place for preventing or detecting an incident or a breach of the security policy as it occurs, rather than after it has occurred. Any unauthorized activity shall be reported to the ISO, who undertakes a coordinated response. These systems should be implemented particularly for access to Internet or E-Banking services (irrespective of the type of system, open/closed). This will help implement an effective, fast and reliable warning system in the case of more serious breaches of the bank's defined information security policy.

Administrative controls

Administrative controls include the establishment of procedures, instructions, strategies and security policies which grant the staff who have access to the information system the authorization necessary for conducting their business processes, and give them a clear picture of the activities for providing a more reliable information system.
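Two of the technical controls above, the access control list (a prevention control) and the audit trail reviewed by the ISO (a detection control), fit naturally together: every access decision is taken against the list and written to the trail, and the trail is then reviewed for unauthorized access. The block below is an added example written for this section; it is not code from the circular or from any bank's system. The resources, user names, the pattern for generic account names, the denial threshold and the sample log lines are all constructed for illustration, and the rule that rejects generic names applies the circular's recommendation that a user name must identify a single user.

```python
"""Access control list with default deny, rejection of account names that do
not identify a single user, an audit trail of every access decision, and the
kind of regular review of that trail the circular assigns to the Information
Security Officer. Added example: the resources, users, name pattern,
threshold and log lines are constructed, not taken from any bank."""
from collections import Counter
import re

# Access control list: resource -> operation -> users allowed. Any user,
# operation or resource not listed here is denied (default deny).
ACL = {
    "ledger_db":     {"read": {"jsmith", "mpetrova"}, "write": {"mpetrova"}},
    "payroll_share": {"read": {"hr_clerk1"},          "write": {"hr_clerk1"}},
}

# Account names that cannot identify one person (the circular: no "bank",
# organizational-unit or outsourcer names). The pattern is an assumption.
GENERIC_NAME = re.compile(
    r"^(bank|admin|it|treasury|vendor|outsourcer|guest|test)\d*$", re.IGNORECASE)

# Audit trail of decisions: one line per attempt,
# "timestamp user operation resource decision".
AUDIT_TRAIL = []


def identifies_single_user(username):
    """True when the name can be tied to one accountable person."""
    return GENERIC_NAME.match(username) is None


def authorize(ts, user, op, resource):
    """Decide an access request against the ACL and record the decision."""
    if not identifies_single_user(user):
        decision = "DENY_generic_account"
    elif user in ACL.get(resource, {}).get(op, set()):
        decision = "ALLOW"
    else:
        decision = "DENY"
    AUDIT_TRAIL.append(f"{ts} {user} {op} {resource} {decision}")
    return decision == "ALLOW"


def reconstruct(trail, user):
    """A user's actions in order, top to bottom, as the circular describes
    reconstructing a transaction from the audit trail."""
    return [line for line in trail if line.split()[1] == user]


def review_trail(trail, denial_threshold=3):
    """Periodic review for the ISO: users with repeated denials (possible
    probing for resources outside their authorization) and any use of
    generic accounts. The threshold is an assumed value."""
    denials = Counter()
    generic = set()
    for line in trail:
        _ts, user, _op, _resource, decision = line.split()
        if decision == "DENY_generic_account":
            generic.add(user)
        elif decision == "DENY":
            denials[user] += 1
    return {
        "repeated_denials": {u: n for u, n in denials.items()
                             if n >= denial_threshold},
        "generic_accounts": sorted(generic),
    }


# Constructed sample trail, in the form the review routine receives it.
SAMPLE_TRAIL = [
    "2024-03-01T09:00:01 jsmith read ledger_db ALLOW",
    "2024-03-01T09:00:05 jsmith write ledger_db DENY",
    "2024-03-01T09:00:09 jsmith write ledger_db DENY",
    "2024-03-01T09:00:14 jsmith write ledger_db DENY",
    "2024-03-01T09:02:00 bank read payroll_share DENY_generic_account",
    "2024-03-01T09:03:00 mpetrova write ledger_db ALLOW",
]

if __name__ == "__main__":
    authorize("2024-03-02T08:00:00", "jsmith", "read", "ledger_db")     # allowed
    authorize("2024-03-02T08:00:03", "jsmith", "write", "ledger_db")    # denied
    authorize("2024-03-02T08:01:00", "treasury2", "read", "ledger_db")  # generic name
    print("\n".join(AUDIT_TRAIL))
    print(review_trail(SAMPLE_TRAIL))
    # {'repeated_denials': {'jsmith': 3}, 'generic_accounts': ['bank']}
```

Because the default is deny, an unknown resource or an operation that is not in the list never grants access, and the denial is still recorded; the review then surfaces the two patterns the circular cares about, a user repeatedly reaching for resources outside their authorization and a generic account in use, and reconstruct gives the ISO the ordered sequence of a single user's actions.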

Administrative prevention controls

These controls are mostly oriented towards controlling the conduct of the staff for the purpose of ensuring the confidentiality, integrity and availability of the information system. They are as follows:
- Registration of the user for operating the system: with this, the staff are formally granted the rights and privileges for operating the system for the purpose of performing their business activities. Prior to registration, the user has to understand and agree on the operations that they are and are not allowed to perform on the information system. The bank should keep statements signed by all employees confirming that they understand the manner of reasonable (adequate) usage of the bank's information system. The statements should indicate their responsibilities from the aspect of providing higher security of the system and the measures to be undertaken in the case they cause a security incident;
- Procedures for recruitment and termination: the bank should have procedures in place for recruiting employees. There should also be procedures for departing employees, regardless of the manner in which the employment is terminated, covering the manner of closing and blocking the profile opened for the employee in the system, as well as the return of all keys, badges, laptops and other assets made available to them. The user profile should be deleted (disabled), or adjusted and assigned to the employee who replaces them;
- Contracts: in this light, the bank should pay special attention to the consequences of the Law on Copyright and Related Rights ("Official Gazette of the Republic of Macedonia" no. 47/96, 3/98 and 98/02), which regulates the term copyright, its usage and transfer, the protection of rights, the monitoring of the implementation of the Law and the sanctions in the case of violation of its provisions. This primarily applies to banks that hold the source code of their banking applications and that have teams of programmers developing their applications;
- Security training: the bank should organize training in the proper usage of the applications and of the supporting applications necessary for the efficient conduct of the business processes. This training is aimed at raising the level of awareness in the bank of the need for information system security. The end users should understand the measures and the controls in place throughout the system. If the employees do not understand the relevance of the controls in place, they might not implement them, in other words they could weaken the overall security program. Generally speaking, all employees should understand the manner of protecting certain sensitive data, be aware of viruses and the manner in which they spread, and know who should be alerted in the case of errors or security incidents.


More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Information Systems Security Assessment

Information Systems Security Assessment Physical Security Information Systems Security Assessment 1. Is the server protected from environmental damage (fire, water, etc.)? Ideal Answer: YES. All servers must be housed in such a way as to protect

More information

RISK ASSESSMENT GUIDELINES

RISK ASSESSMENT GUIDELINES RISK ASSESSMENT GUIDELINES A Risk Assessment is a business tool used to gauge risks to the business and to assist in safeguarding against that risk by developing countermeasures and mitigation strategies.

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Polish Financial Supervision Authority. Guidelines

Polish Financial Supervision Authority. Guidelines Polish Financial Supervision Authority Guidelines on the Management of Information Technology and ICT Environment Security for Insurance and Reinsurance Undertakings Warsaw, 16 December 2014 Table of Contents

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

FORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS. Date(s) Completed. Workpaper Reference

FORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS. Date(s) Completed. Workpaper Reference FORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS Workpaper Reference Date(s) Completed Organization and Staffing procedures used to define the organization of the IT Department. 2. Review the organization

More information

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS 11-1 CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS INTRODUCTION The State Board of Accounts, in accordance with State statutes and the Statements on Auditing Standards Numbers 78

More information

Security Management. Keeping the IT Security Administrator Busy

Security Management. Keeping the IT Security Administrator Busy Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Management Standards for Information Security Measures for the Central Government Computer Systems

Management Standards for Information Security Measures for the Central Government Computer Systems Management Standards for Information Security Measures for the Central Government Computer Systems April 26, 2012 Established by the Information Security Policy Council Table of Contents Chapter 1.1 General...

More information

Best Practices For Department Server and Enterprise System Checklist

Best Practices For Department Server and Enterprise System Checklist Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

Official Journal of RS, No. 86/2006 of 11. 08. 2006 REGULATION

Official Journal of RS, No. 86/2006 of 11. 08. 2006 REGULATION Official Journal of RS, No. 86/2006 of 11. 08. 2006 Pursuant to Articles 10, 23, 36, 40, 43, 47, 53, 54, 63, 71, 72, 73, 74, 88 and 91 of the Protection of Documents and Archives and Archival Institutions

More information

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control

More information

PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS DA-1

PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS DA-1 PUBLIC POWER CORPORATION S.A. INFORMATION TECHNOLOGY DIVISION CENTRAL SYSTEMS SUPPORT SECTION IT SYSTEMS SECURITY SUBSECTION PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

ADM:49 DPS POLICY MANUAL Page 1 of 5

ADM:49 DPS POLICY MANUAL Page 1 of 5 DEPARTMENT OF PUBLIC SAFETY POLICIES & PROCEDURES SUBJECT: IT OPERATIONS MANAGEMENT POLICY NUMBER EFFECTIVE DATE: 09/09/2008 ADM: 49 REVISION NO: ORIGINAL ORIGINAL ISSUED ON: 09/09/2008 1.0 PURPOSE The

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L. Document No: IG10d Version: 1.1 Name of Procedure: Third Party Due Diligence Assessment Author: Release Date: Review Date: Lauren Hamill, Information Governance Officer Version Control Version Release

More information

Aproved by: doron berger Data Security Manager - National Security unit

Aproved by: doron berger Data Security Manager - National Security unit Israel Electric Corporation National Security unit Data Security Security of critical project performed by vendor abroad Aproved by: doron berger Data Security Manager - National Security unit Project

More information

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security. assistance with implementation of the. security standards. This series aims to HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

The Contractor's Responsibility - Preventing Improper Information Process

The Contractor's Responsibility - Preventing Improper Information Process BRIGHT HORIZONS BASELINE THIRD PARTY SECURITY REQUIREMENTS Version 1.0 (updated March 2015) Contents SECTION 1:... 3 REQUIREMENTS INTRODUCTION AND BACKGROUND... 3 1. SUMMARY... 3 2. DEFINITIONS... 3 3.

More information

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004L Payment Card Industry (PCI) Physical Security (proposed) 01.1 Purpose The purpose

More information

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2 Texas Wesleyan Firewall Policy Purpose... 1 Scope... 1 Specific Requirements... 1 PURPOSE Firewalls are an essential component of the Texas Wesleyan information systems security infrastructure. Firewalls

More information

Major Risks and Recommended Solutions

Major Risks and Recommended Solutions Major Risks and Recommended Solutions www.icdsecurity.com OVERVIEW Are you familiar with the main security risks that threaten data centers? This paper provides an overview of the most common and major

More information

Solution Brief for ISO 27002: 2013 Audit Standard ISO 27002. Publication Date: Feb 6, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Solution Brief for ISO 27002: 2013 Audit Standard ISO 27002. Publication Date: Feb 6, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Solution Brief for ISO 27002: 2013 Audit Standard Publication Date: Feb 6, 2015 8815 Centre Park Drive, Columbia MD 21045 ISO 27002 About delivers business critical software and services that transform

More information

Supply Chain Security Audit Tool - Warehousing/Distribution

Supply Chain Security Audit Tool - Warehousing/Distribution Supply Chain Security Audit Tool - Warehousing/Distribution This audit tool was developed to assist manufacturer clients with the application of the concepts in the Rx-360 Supply Chain Security White Paper:

More information

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand

More information

Better secure IT equipment and systems

Better secure IT equipment and systems Chapter 5 Central Services Data Centre Security 1.0 MAIN POINTS The Ministry of Central Services, through its Information Technology Division (ITD), provides information technology (IT) services to government

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure Bendigo and Adelaide Bank Ltd Security Incident Response Procedure Table of Contents 1 Introduction...1 2 Incident Definition...2 3 Incident Classification...2 4 How to Respond to a Security Incident...4

More information

Security. Enalyzer A/S

Security. Enalyzer A/S Enalyzer A/S Security At Enalyzer we do our outmost to keep our customer s data safe and our web-based survey systems accessible at any time. Our high level of performance, availability and security are

More information

How To Write A Health Care Security Rule For A University

How To Write A Health Care Security Rule For A University INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

GE Measurement & Control. Cyber Security for NEI 08-09

GE Measurement & Control. Cyber Security for NEI 08-09 GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4

More information

Introduction. PCI DSS Overview

Introduction. PCI DSS Overview Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,

More information

DATA SECURITY POLICY. Data Security Policy

DATA SECURITY POLICY. Data Security Policy Data Security Policy Contents 1. Introduction 3 2. Purpose 4 3. Data Protection 4 4. Customer Authentication 4 5. Physical Security 5 6. Access Control 6 7. Network Security 6 8. Software Security 7 9.

More information

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Data Handling in University Case Study- Information Security in University Agenda Case Study Background

More information

FRAMEWORK. Continuous Process Improvement Risk, Information Security, and Compliance

FRAMEWORK. Continuous Process Improvement Risk, Information Security, and Compliance FRMEWORK Continuous Process Improvement Risk, Information Security, and Compliance The pragmatic, business-oriented, standardsbased methodology for managing information. CPI-RISC Information Risk Framework

More information

Introduction. Industry Changes

Introduction. Industry Changes Introduction The Electronic Safety and Security Design Reference Manual (ESSDRM) is designed to educate and inform professionals in the safety and security arena. The ESSDRM discusses trends and expertise

More information

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor

More information

Computer Security Policy (Interim)

Computer Security Policy (Interim) Computer Security Policy (Interim) Updated May, 2001 Department of Information Systems & Telecommunications Table of Contents 1. SCOPE...1 2. OVERVIEW...1 3. RESPONSIBILITIES...3 4. PHYSICAL SECURITY...4

More information

Circular to All Licensed Corporations on Information Technology Management

Circular to All Licensed Corporations on Information Technology Management Circular 16 March 2010 Circular to All Licensed Corporations on Information Technology Management In the course of our supervision, it has recently come to our attention that certain deficiencies in information

More information

Information Technology Cyber Security Policy

Information Technology Cyber Security Policy Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please

More information

Autodesk PLM 360 Security Whitepaper

Autodesk PLM 360 Security Whitepaper Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

University of Brighton School and Departmental Information Security Policy

University of Brighton School and Departmental Information Security Policy University of Brighton School and Departmental Information Security Policy This Policy establishes and states the minimum standards expected. These policies define The University of Brighton business objectives

More information

Information Security Policy Best Practice Document

Information Security Policy Best Practice Document Information Security Policy Best Practice Document Produced by UNINETT led working group on security (No UFS126) Authors: Kenneth Høstland, Per Arne Enstad, Øyvind Eilertsen, Gunnar Bøe October 2010 Original

More information

Information Security Awareness Training

Information Security Awareness Training Information Security Awareness Training Presenter: William F. Slater, III M.S., MBA, PMP, CISSP, CISA, ISO 27002 1 Agenda Why are we doing this? Objectives What is Information Security? What is Information

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information